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Abstract 



We briefly review the security of the ping-pong protocol in light of several attack scenarios suggested by various authors since the 
O-lproposal of the protocol. We refute one recent attack on an ideal quantum channel, and show that a recent claim of falseness of 
w our original security proof is erroneous. 
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It is now five years that we proposed a quantum cryp- 
tographic protocol pQ whose novel feature was that the 
bits are transmitted in a deterministic manner: Alice, the 
sender, determines the bit value decoded by Bob, the re- 
ceiver. Thereby, the transmission efficiency is doubled as 
compared to non-deterministic protocols like the BB84 [2] , 
where only 50% of the transmitted bits can be used for 
communication purposes. We were able to rigorously prove 
that in the case of a perfect quantum channel any effective 
eavesdropping attack can be detected. Specifically, when 
Eve, the eavesdropper, tries to gain full information, that is 
Jo = 1 bit per message bit, then the detection probability 
reads d = 1/2 per control bit. For comparison, in a similar 
scenario with Eve fully attacking all transmitted bits, the 
BB84 protocol provides a detection probability of d = 1/4 
per control bit. 

Due to its deterministic nature, the protocol allows two 
parties to communicate directly in a secure manner. More 
precisely, the direct communication is quasi-secure, which 
means that the probability for an eavesdropper to remain 
undetected declines exponentially with the length of the 
message transmitted. Alternatively, when perfect asymp- 
totic security is required, the protocol can be used as a 
quantum key distribution scheme: The sender transmits a 
meaningless stream of random bits upon which the usual 
techniques of error correction and privacy amplification can 
be applied so that a shared secret key is established for later 
use in classical encryption. 

One peculiarity of the protocol is that the carrier of in- 
formation, a single qubit, is travelling forth and back be- 
tween sender and receiver, which motivated the name ping- 
pong protocol. Another peculiarity is that sender and re- 



ceiver randomly switch between two modes: message mode 
and control mode. Only in message mode a message bit is 
transferred and only in control mode an eavesdropper can 
be detected with a certain probability. The fact that the 
mode can only be noticed by the eavesdropper when it is 
too late to escape detection, is an important ingredient to 
the security of the protocol and requires careful attention 
in experimental implementations. 

One experimental implementation of the ping-pong pro- 
tocol using entangled photons has been accomplished at the 
quantum optics lab in Potsdam, Germany, where the ran- 
dom switching between message mode and control mode is 
realized in an elegant way [3] . 

Also meanwhile, several alternative quantum crypto- 
graphic protocols have been proposed that are tailored 
along the scheme of the original ping-pong protocol, 
providing improved efficiency or experimental feasibil- 
ity |4|5|6|7|8| . Since the security of these protocols is based 
on the security of the original one, we would like to give 
a brief review on the security situation of the ping-pong 
protocol as it appears nowadays, after several attempts to 
attack the protocol in the case of either a perfect or an 
imperfect quantum channel. Furthermore, we will show 
that some recent claims that the protocol is insecure and 
that the security proof is wrong, are erroneous. 

2. The protocol in short 

Bob, the receiver of information, prepares two qubits in 
the Bell state = -^(\01) ht + \10) h t), where h and t 

refer to the home and travel qubit, respectively. He sends 
the travel qubit to Alice who randomly selects either mes- 
sage mode or control mode. In message mode, Alice ap- 
plies the encoding operation Z t (j) = o~\ to the travel qubit, 



where j S {0, 1} represents the message bit. For j = 1, 
the encoding operation transforms \^ + )ht into \*f!~)ht and 
for j = the state is left unchanged. After encoding, Alice 
sends the qubit back to Bob, who then applies a Bell mea- 
surement on both qubits, yielding either \^ + )ht or \^~~)hti 
thereby revealing the message bit j. In control mode, Al- 
ice measures the travel qubit in the z-basis and announces 
the result via the public channel. Upon receiving the an- 
nouncement, Bob measures his home qubit in the z-basis 
and compares both results. If they differ, the protocol is 
continued, otherwise aborted. 

3. Cai's DOS-attack 

Qing-yu Cai [9] has proposed a simple attack scheme 
that disturbs the information transmission without being 
detectable and without revealing any message information, 
that is, a denial- of- service (DoS) attack: Eve measures ev- 
ery qubit travelling from Alice to Bob in the z-basis. Ac- 
cording to the protocol, there is no security check for qubits 
travelling back from Alice to Bob, hence the attack remains 
undetected. As the attack destroys the entanglement be- 
tween home and travel qubit, the bit read out by Bob is 
completely uncorrelated with the bit encoded by Alice, so 
the message is scrambled. Since Eve's measurement result 
is completely random, she does not gain any message in- 
formation. 

Let us point out that a trivial modification of the attack 
even allows Eve to derministically change the information 
transmitted on the channel by flipping message bits of her 
choice: Instead of measuring the qubit, Eve applies a (re- 
operation. This way, Eve is able to alter message informa- 
tion, albeit in a "blind" way. Altogether, the protocol in 
its original form protects the confidentiality of the message 
but not the integrity (just like the classical one-time pad). 

Cai himself has proposed fairly simple ways to protect 
the protocol against this type of attack: either quantum 
mechanically, by slightly modifying the control mechanism, 
or classically, by performing one of the standard methods 
of message authentification [10] . 

4. Wojcik's attack on a lossy quantum channel 

So far, the ping-pong protocol is provably secure only for 
the case of a perfect quantum channel. Any imperfection of 
the channel potentially opens the door to effective and un- 
detectable eavesdropping. Since all quantum cryptographic 
protocols are confronted with such a problem, the standard 
procedure is to introduce additional steps of error correc- 
tion and privacy amplification using the public channel to 
distill an asymptotically perfectly secure key. These proce- 
dures can be successful exactly if the mutual information 
between sender and receiver is greater than that between 
sender and eavesdropper [TT] . 

Antoni Wojcik [12] proposed a smart eavesdropping at- 
tack scheme that works on a lossy quantum channel and 



enables the eavesdropper to gain message information with- 
out being detected. 

The basic idea is the following. After receiving the travel 
qubit from Bob, Eve appends an ancilla system TC xy in some 
initial state \eo) X y to the system TLm of travel qubit and 
home qubit in its initial state, yielding the state 

|init> = -L(|01) + \l0)) ht \e o ) xy . (1) 

She then unitarily transforms this initial state into 

|B-A) = 5 |0) h (|l)t|ei) xl , + |vac) t |e 2 ) a;y ) 

2 ! (2) 
+ 2\ l )h{\$)t\e?>) X y + |vac) t |e 4 )^), 

where |ei),. . . ,|e4) are mutually orthogonal. Then Eve re- 
sends the travel qubit to Alice, whose encoding operation 
o~{ on the travel qubit yields 

|B-A') J-\Q) h ((-l)i\l) t \ ex ) xy + |vac) 4 |e 2 ) XJ/ ) 

2 ! (3) 
+ 2l 1 )ft.(l°)*l e 3)xj/ + |vac) t |e 4 )xj/). 

It can directly be seen from the above terms that upon cap- 
turing the travel qubit being sent from Alice to Bob, Eve is 
able to find the message bit j with probability 1/2 by mea- 
suring the txy system in a suitable basis or, equivalently, 
by performing some unitary operation on the txy system 
and then measuring in the computational basis. In a con- 
trol run the travel mode is found to be in the vacuum state 
with probability 1/2. Hence, Eve's attack introduces 50% 
channel losses if she attacks all the time. 

If the efficiency of the channel is 77 < 0.5 then Eve re- 
places the lossy channel with a better one, so that the chan- 
nel exactly mimics the losses expected by Alice and Bob. 
That way, she can attack all transmissions while staying 
undetectable, and she creates mutual information between 
herself and Alice that exceeds the mutual information be- 
tween Alice and Bob. Hence, even with error correction and 
privacy amplification, the protocol would not be secure. If 
0.5 < rj < 0.6, she attacks the fraction /i = 2(1 — rf) of 
qubits. For efficiencies above 0.6, the mutual information 
between Alice and Eve falls below the mutual information 
between Alice and Bob, so that error correction and privacy 
amplification can establish the security of the protocol. 

Fortunately, Wojcik himself proposed in the same paper 
two solutions to protect the protocol against his attack. 
One solution is to estimate the qubit error rate (QBER) 
which, however, forces Alice and Bob to sacrifice some of 
their message bits. The other solution is to delay Alice's 
announcement of the transmission mode (message or con- 
trol), until Bob has checked if there is an additional photon 
in the travel mode. This way, the attack can be detected 
because the particular attack operation not only produces 
channel losses, but also (with probability 1/2) inserts a pho- 
ton into the travel mode which in control mode should be in 
vacuum state after Alice's measurement. Such an "illegal" 
photon travelling to Bob would, if detected, immediately 
reveal the presence of the eavesdropper. 



In summary, Wojcik's attack exploits a security hole of 
the protocol in the realistic case of an imperfect quantum 
channel using photons. A fairly simple modification of the 
protocol closes the hole and restores the security of the 
protocol. 

5. The ZML-attack on an imperfect quantum 
channel 

In [T5], Zhan-jun Zhang, Zhong-xiao Man, and Yong Li 
improved Wojcik's attack by expanding the domain of ef- 
fective eavesdropping from nearly 60% to nearly 80% chan- 
nel efficiency. The basic idea is fully analoguous to Wojcik's 
scheme [12] . Eve appends an ancilla system Tt xy and uni- 
tarily transforms the state ((T|) into the state 
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where |ei},. . . \e£) are mutually orthogonal. Alice's encod- 
ing operation on the travel qubit yields 



|B-A') =^|0) h ((-iy|l) t | ei ) ay + |vac) t |e 2 ) X!/ ) 
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Again, by measuring the txy system Eve finds the mes- 
sage bit j with probability 1/2. In a control run, the travel 
mode is found to be in the vaccum state with probability 
1/4. Hence, Eve's attack introduces 25% channel losses if 
she attacks all the time. Reasoning analoguous to that in 
Wojcik's publication reveals that the ping-pong protocol 
can be successfully attacked for channel efficiencies up to 
nearly 80%. However, also here the security of the protocol 
can be re-established by introducing the same countermea- 
sures suggested by Wojcik. 

6. The ZLM-attack on a perfect quantum channel 

Recently, the same three authors proposed an attack 
scheme against the ping-pong protocol, enabling the eaves- 
dropper to read out message information without being de- 
tected even in the case of a perfect quantum channel, in con- 
tradiction to our rigorous security proof for this case |16j . 
However, their attack scheme is faulty: 

According to their attack scheme, Eve prepares an ancilla 
state |x) = | vac, 0) xy in two additional modes x and y, and 
applies a unitary operation W txy (Eq. (2) in [TH]) on the 
compound system txy of the travel qubit and the ancilla 
modes during the B-A-transmission. Afterwards, the total 
system is in the state 



\B-A) = 2|0,l) M (|vac,0) av + |l,vac) BV ) 
+ ^l 1 5 0)/ lt (|vac, l) xy + |0,vac) x 



(6) 



It is clear that this attack operation cannot be detected 
by the control measurements of the ping-pong protocol: z- 
basis measurements on h and t will still be strictly anticor- 
related. 

In message mode, Alice applies the encoding operation 
a 3 z to the travel photon, where j £ {0, 1} represents 
the message bit, and sends the photon back to Bob. Eve 
intercepts the travel photon, applies the inverse operation 
Wfay on the compound system txy, resends the travel pho- 
ton to Alice and keeps her ancilla system. The authors claim 
that a measurement on the ancilla system reveals informa- 
tion about the message bit j encoded by Alice. Indeed, the 
authors' Eq. (7), which supposedly shows the state \A—B) 
after Eve's (A-B)-attack operation W tx „, indicates that the 
message bit j is partly encoded in the state of the y photon: 



+ (*«-*ht)|0)« Ivac) 



(7) 



Obvously, a computational-basis measurement by Eve 
on the y-mode reveals the message bit j with probability 
1/2, otherwise it yields 0. However, this crucial equation is 
wrong, which can be seen as follows. When Alice applies her 
encoding operation to the travel photon t, the total system 
is in the state 
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(-iy|0,l) w |xi)*v + |l,0> ht |xo). 



where we have set 



\xi)xy = -^=(|vac,0) xy + |l,vac) xy ) 
\xo)x V = — ^(|vac, l) xy + |0,vac) X j,). 



(8) 

(9) 
(10) 



As can be seen from above, the message bit j is encoded 
in the relative phase between the two components of the 
superposition. Since Eve has no access to the home photon 
h, she can in no way read out the relative phase. Generally, 
consider a state in the space Hh ® He of the form 



|*> =a\h 1 ) h \e 1 ) E + [3e i *\h 



2 1P2 £, 



(11) 



with (ft.1l/i2) = 0, and a, (3 > 0, and where Eve has only 
access to the system in He- Then for Eve the state of the 
entire system is indistinguishable from the reduced density 
matrix 



PE = Tr h {\^)(rP\} 

= a 2 |ei)(ei|is + /3 2 |e 2 )(e 2 |£;, 



(12) 
(13) 



where the relative phase 4> is no longer available. 

In the present case, the density matrix of the total state 
after Alice's encoding operation is 
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Pi 



= Zl\B-A)(B-A\Z? 



|01)w|Xi> ■>"ii 

(-l) J |01) M |xi)*»(10Ut(xo|»v ( 14 ) 
(-l) i |10)w|xo)xy(OlU t (xiU a 

|10)/ l t|xo)^(10Ut(xoUy ■ 



The state of the system accessible to Eve is given by partial- 
tracing over the home photon h, 



(Eve) m r 1 
Pi = Tl MPj}, 



which yields 
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Pi 
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l)t\Xl)xv(l\t(Xl\xv 
\0)t\Xo)xy(0\t(Xo\xy 



(15) 



(16) 



Since pj Evc ' ) is independent of j, there is no message in- 
formation available to Eve. Consequently, the authors' cal- 
culation of the state \A—B)j, which results from the appli- 
cation of W^ xy to Z\ \B — A) must be faulty. In fact, our own 
calculations show that the state after Eve's (A-B)-attack 



W txy reads 



\a-b), = - {-iy + 



(17) 



which is different from the authors' Eq. (7) (Eq. ([7]) above) 
in that it is impossible for Eve to read out the message bit 
by any measurement performed on the ancilla system xy. 

In summary, we find that the conclusions drawn in the 
commented paper 16] are based on a miscalculation; this 
attack scheme is not effective and does not impair the se- 
curity of the ping-pong protocol. 

7. Cai's invisible photon attack 

Qing-Yu Cai [13] adapted the Trojan horse attack intro- 
duced by Gisin et al [14] to the ping-pong protocol: Eve 
feeds in an additional photon which is invisible to Alice 
and Bob's detectors, but which is affected by Alice's encod- 
ing operation. The illegal photon is inserted into the travel 
mode on the way from Bob to Alice, and it is filtered out 
during the transmission from Alice to Bob. Eve detects the 
state change of the illegal photon which is caused by Al- 
ice's encoding operation, and thereby obtains the message 
bit without being detected. Choosing a wavelength outside 
the range of Alice's detectors is one possible way to make 
the illegal photon invisible to the control measurements. As 
Cai has pointed out, the attack does not exploit a weak- 
ness of the protocol itself but rather of certain imperfect 
implementations of the protocol. He also suggests a feasible 
solution to re-establish the security of the communication: 
Alice and Bob add filters to their setup whose bandwidth 
matches the sensitivity range of the detectors. 



The generalization is straightforward: The experimental 
setup should block any quantum carriers of information 
which are invisible to the detectors but which are affected 
by the encoding operation. 

8. Zhang's claim that the security proof is wrong 

Zhan-jun Zhang challenges the validity of our security 
proof altogether [17] . We will show that the claim is based 
1) on a misunderstanding of the security proof and 2) on a 
miscalculation at a crucial point in the argument. 

The author emphasizes that in our security proof the 
eavesdropping information Jo is extracted from the travel 
qubit only. This is not the case. The maximal amount Iq of 
information that can be extracted from the system available 
to Eve, is equal to the von-Neumann information S of the 
state p" given by Eq. (8) in our original paper. The state 
p" results from Alice's encoding operation on the state p' 
which is given by our Eq. (7) as a matrix representation in 
the orthogonal basis {|0, xo), iTXi)}- As we have pointed 
out in our paper, the states |xo) and |xi) are states of 
Eve's ancilla system He- It is therefore not true that the 
information Iq is derived only from the state of the travel 
qubit. Unfortunately, though, we ourselves have made such 
misunderstanding easy because right before our Eq. (8) we 
denote p" as "the state of the travel qubit after Eve's attack 
operation and after Alice's encoding operation". This is 
a misnomer which we apologize for; it should however be 
clear from the context that p" refers to the state p' after 
Alice's encoding operation, and that the state p' explicitely 
includes Eve's ancilla system. 

Based on this misunderstanding, the author constructs a 
counterexample against the security proof, where he then 
miscalculates the information contents lot and Iq c that can 
be extracted from the travel qubit and the composite sys- 
tem, respectively. He claims that "as can easily be worked 
out", the values read lot = 1 and ioc = 2, which would be 
in contradiction to the prepositions of our security proof. 

Let us explicitely perform the calculation. According to 
the author's counterexample, Eve captures the travel qubit 
t in the state |0), attaches an ancilla system x in the state 
\ x ) x = ^(\0} x + |l) x ). We find that the state |*') of the 

composite system tx after Eve's attack operation E given 
by the author reads 



\V)=E{\0) t \ X ) x ) 

= £-^(|00> te + |01) tx ) 



1 



h\Xo) 



V2> 

where we have set 
\ Xo ) x = -L(\0) x + \l) x ) 

| Xl ) x = -L(|i) s -|oy. 



^=|l)i|Xl)x, 



(18) 
(19) 

(20) 
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The state |\&') has exactly the form given in Eq. (4) of our 
security proof, with a = [3 — 4g . When Alice encodes "0" 
she applies the unity operation which gives \$>' Q ) = 
when she encodes "1" she applies a z to the travel qubit 
which gives 

\*[) = l=\0) t \ Xo ) x -l=\l) t \ Xl ) x . (23) 

Note that \^f[) is orthogonal to |$d). Assuming that she 
encodes "0" or "1" with equal probability (which is tacitly 
assumed by the author), the state of the composite system 
tx reads 

p" = \\K){<\ + \\*'i){*% (24) 

which has the entropy Iq c — S(p") — 1, in contrast to the 
authors' result. In fact, the author's value of Iq c — 2 would 
be very surprising: Alice encoded at most one classical bit 
by a unitary operation, so the entropy of the resulting state 
cannot be higher than one bit. For security reasons, our 
protocol makes use only of a 2-dimcnsional subspace of the 
full 4-dimcnsional Hilbert space spanned by two qubits, 
and the entropy of a state in a 2-dimcnsional subspace is 
at most 1 bit. 

9. Conclusion 

So far, the ping-pong protocol has resisted all serious 
attacks brought forward in the last five years, albeit with 
slight modifications of the scheme. For the ideal case of a 
perfect quantum channel, the initial security proof holds 
and is both rigorous and general. For the realistic case of 
an imperfect quantum channel, there is no general security 
proof but the protocol seems to retain its security. 

We suggest that future efforts should go into either figur- 
ing out more attack scenarios exploiting channel imperfec- 
tions under realistic circumstances or into finding a general 
proof for the unconditional security of (a suitable exten- 
sion of) the ping-pong protocol in the case of an imperfect 
quantum channel. 
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